FUTURE OF AUDIT
© ICAEW 2019
All rights reserved. If you want to reproduce or redistribute any of the material in this publication, you should first get
ICAEW’s permission in writing. ICAEW will not be liable for any reliance you place on the information in this publication.
You should seek independent advice.
2
FUTURE OF AUDIT WHAT AUDITORS DO: THE SCOPE OF AUDIT
Contents
1
FUTURE OF AUDIT WHAT AUDITORS DO: THE SCOPE OF AUDIT
Questions about the value of audit as it stands and calls for auditors to do more are nothing new. But
claiming that the only real problem lies in the fact that audits and auditors are misunderstood, and that
the solution therefore lies in ‘educating the public’, is no longer acceptable, if it ever was.
A clear understanding of what auditors do now is important if opportunities for extending the scope of
what can and should be audited are to be explored, if what auditors currently do is to be enhanced, and
if confidence in the value of audit and other assurance services is to be improved. In this paper we focus
on the audit of listed and other public interest entities rather than smaller audits, although many of the
principles apply to both.
Essentially, an audit involves three elements:
• a
substantial risk assessment: auditors build up a detailed understanding of the business to enable
them to assess the risk that the financial statements as a whole might be materially misstated, and the
risk that the individual elements within the financial statements might be materially misstated. The
greater the risk, the better the audit evidence will need to be;
• e
vidence-gathering in response to the risk assessment, intended to reduce the risk that there
will still be a material misstatement, even after the audit, to an acceptable level. A great deal of
evidence-gathering is about challenging management and corroborating explanations, ie, not taking
explanations at face value, even if they appear to be plausible; and
• the audit opinion reported to shareholders, based on the evidence obtained.
Some risks may be common to different companies in the same sector, but the extent of the risk is often
different and no two companies are the same; the assessed risks of material misstatement are always
unique. The ability to identify and assess risk effectively is a critical audit skill, requiring substantial
resource, training and experience. Auditors look for what might be missing, as well as what they are
presented with, and they are required to exercise professional scepticism throughout the audit. This
means that any suggestion that something might be wrong must be investigated and that conflicting
evidence cannot be ignored, although it does not mean that auditors have to assume that everything
they are presented with is necessarily wrong or fabricated. Professional bodies, auditors, auditing
standard-setters and academics continue to work on the impact of conscious and unconscious bias in
audit, and there have been important developments in recent years in techniques that help to
counteract it.
Higher-risk areas can relate to revenue, debtors, inventory, financial instruments, construction contracts
or the valuation of assets and liabilities more generally, for example. It is widely acknowledged that
companies in which financial reporting is well controlled are easier to audit than those in which it is not,
not least because fraud is easier to conceal in companies with a poor control environment.
Auditors look for any misstatement, regardless of how it is caused. If they suspect that material
misstatements might be due to fraud, rather than simple error, which is much less likely to be concealed,
they are required take a very different approach to evidence-gathering in that area. And an entity’s
compliance with laws and regulations, including the legality of dividends, is always relevant to the audit if
misstatements arising from non-compliance might be material.
Risk assessment and evidence-gathering both involve evaluating and often testing controls, discussions
with directors, senior management and staff, and a variety of analytical procedures and detailed tests
of transactions and balances, some of which has been substantially enhanced in recent years by the
use of data analytics. Auditors do not just look at evidence generated by the company. Confirmation
of transactions and balances with third parties is a routine audit procedure, including confirmation
of debtors, creditors, inventory and bank balances. Developments in data analytics increasingly
enable auditors to compare internally generated information with independently generated data and
information.
2
FUTURE OF AUDIT WHAT AUDITORS DO: THE SCOPE OF AUDIT
All of this is done with a view to obtaining sufficient, appropriate audit evidence to support the audit
opinion which is reported to shareholders. Audits are performed in accordance with UK auditing
standards with which all UK auditors are required to comply.
UK auditing standards are available for anyone to read on the Financial Reporting Council’s website.
They are closely aligned with International Standards on Auditing (ISAs) used in over 175 countries. Both
run to well over 1,000 pages of detailed requirements and guidance. In addition to the basics noted
above – covering risk assessment, evidence-gathering and reporting – they cover more detailed areas
such as sampling, group audits, and work on opening balances and related party transactions.
Auditors are specifically required to evaluate the appropriateness of accounting policies, the
reasonableness of estimates and the overall presentation and structure of the financial statements. They
are required to obtain written representations from management on a number of matters and, hardly
surprisingly, comply with extensive documentation requirements. The documentation requirements
serve as a record, for quality management purposes, and demonstrate compliance with the relevant
requirements to internal and external reviewers. Audit firms embed these requirements and the
associated guidance in their methodologies.
Auditors are also required to comply with detailed legal, regulatory, ethical and quality management
requirements, including independence requirements. They report their audit opinion to the shareholders
and they may also be required to report specific matters to regulators – such as the Prudential Regulation
Authority for companies in the financial services sector, or the Solicitors Regulation Authority for legal
services firms. Legislation permits and obliges auditors – among others – to report suspicions of money
laundering or drug trafficking, for example, to the relevant authorities. These rights and duties have been
extended in recent years.
3
FUTURE OF AUDIT WHAT AUDITORS DO: THE SCOPE OF AUDIT
4
FUTURE OF AUDIT WHAT AUDITORS DO: THE SCOPE OF AUDIT
5
FUTURE OF AUDIT WHAT AUDITORS DO: THE SCOPE OF AUDIT
Audited financial statements generally appear at the back of annual reports. Commonly included in
the front end are financial and other highlights, including key performance indicators (KPIs), a strategic
report, statements by the chairman and chairs of audit, remuneration and risk committees, and
environmental, social and governance (ESG) information.
For many years, audit reports referred to the information audited using page numbers. But the annual
report within which the financial statements are housed has grown, what auditors are required to do
has become more complex, the page numbers have disappeared and there remain misunderstandings
about how much of the annual report auditors actually audit. The solution is not simply a case of
re-instating the page numbers.
A random sample of five annual reports of FTSE 100 companies1 for 2018 showed that between 25%
and 40% of the total number of pages contained at least some audited information. This generally
consisted of two elements only: the audited financial statements, and information elsewhere in the
annual report concerning directors’ remuneration. This does not mean, however, that auditors simply
ignore all of the other front-end information.
Successive waves of changes to company law, the UK Corporate Governance Code (the UK Code) and
the continuing obligations of listing have steadily increased the procedures auditors are required to
perform on the other information that accompanies audited financial statements. In short, auditors are
required to ‘read’ and/or ‘review’ specific parts of the annual report in various different ways.
The current audit model requires auditors to read (in a literal sense) all of the other information for
inconsistencies with the audited information and the auditors’ knowledge of the business obtained
during the audit. They are required to review the directors’ viability statement and assessment of
principal risks for compliance with the UK Code, and they must state whether in their opinion the
strategic and directors’ reports are prepared in accordance with legal requirements. But there are no
specific procedures auditors are required to perform on the critical KPIs.
The current read requirement involves substantially less work than a review, and both read and
review requirements involve substantially less work than an audit. For example, directors are currently
required to make a statement to the effect that the annual report in its entirety is ‘fair, balanced and
understandable’. Auditors are not currently required to provide assurance on that statement, or on the
KPIs. If they were, it is likely that a great deal more work on controls over the preparation of the statement
and the KPIs would be required. Enhancing current requirements would require more work – despite the
fact that firms often do more than is actually required on the other information – but it might also better
meet expectations.
1
Diageo, Vodafone, Severn Trent, EasyJet and M&S, accessed online 11 March 2019.
6
FUTURE OF AUDIT WHAT AUDITORS DO: THE SCOPE OF AUDIT
An audit is not an insurance policy that pays out if the financial statements are misstated. It is a
professional opinion based on work performed according to auditing standards that have developed
over many years and have been revised and revised again with the benefit of hindsight. Audit opinions,
and the increasingly lengthy and complex auditing standards on which they are based, may be
embedded in company law, regulation and professional practice but they are not written in stone and
they can be changed.
There is undoubtedly room for auditors to do more. While the current audit model does not involve
any form of assurance or commentary on the full annual report – on the KPIs, the viability of an entity,
or on the quality of its internal controls, among other things – none of these is impossible. Reporting
on internal controls over financial reporting, for example, is already in place in the US and Japan.
Understanding how those regimes work, and how effective they are, will be important when considering
if and how a similar regime might be introduced in the UK.
Upcoming essays in this series will examine a number of these areas in more detail.
7
The future of audit – your views
The collapse of Carillion in 2018 has led to increased political and public scrutiny of the audit
profession, and has eroded trust in auditors. As discussions about the future of audit continue
to evolve, the Audit and Assurance Faculty intends to influence the debate through a series
of succinct, high-level thought leadership essays that consider a range of issues directly or
indirectly relevant to the debate. We would welcome your views on these issues. Please email
nigel.sleigh-johnson@icaew.com
www.charteredaccountantsworldwide.com
www.globalaccountingalliance.com
ICAEW
Chartered Accountants’ Hall
Moorgate Place
London
EC2R 6EA
UK